1. Field of the Invention
This invention pertains in general to protecting a computer from malicious software and in particular to techniques for detecting malicious software that uses stealth network communications to hide its presence.
2. Description of the Related Art
There is a wide variety of malicious software (malware) that can attack modern computers. Malware threats include computer viruses, worms, Trojan horse programs, spyware, adware, crimeware, and phishing websites. Modern malware is often designed to provide financial gain to the attacker by stealing confidential information. For example, malware can surreptitiously capture logins, passwords, bank account identifiers, and credit card numbers and send this information to a remote server on the Internet. Similarly, the malware can provide hidden interfaces that allow the attacker to access and control the compromised computer. In some cases, the attacker assembles a vast number of compromised computers, called “bots,” and uses the bots to launch distributed denial-of-service (DDOS) attacks and perform other malicious actions.
Traditional security techniques for detecting and blocking malware include malware scanners and firewalls. Malware scanners typically detect malware residing on a computer through signature-scanning and/or heuristic-based techniques. Once detected, the malware can be removed from the computer. Firewalls, in contrast, monitor network communications in order to identify, and optionally block, unknown and/or unauthorized traffic. The risks associated with malware that relies on network communications with a home base can be mitigated if the firewall blocks the communications. For example, blocked malware cannot send captured information to its home base and cannot participate in DDOS attacks.
Unfortunately, malware is increasingly difficult to detect using conventional security techniques. A malicious website might automatically generate a new variant of its malware code for every few visitors, so that signatures cannot be produced quickly enough for signature-scanning techniques to keep up. In addition, some malware uses “stealth” or “rootkit” techniques to hide its presence from malware scanners.
Equally troubling is that malware can use stealth techniques to hide its network communications from conventional software firewalls. For example, the malware can patch the Network Driver Interface Specification (NDIS) layer functionality provided by MICROSOFT WINDOWS and other operating systems; a hook placed below the point at which the firewall inspects traffic lets the malware's packets leave the machine without ever being presented to the firewall. Likewise, the malware can insert an alternative network communications stack into the operating system that the firewall does not recognize and therefore does not monitor. Hardware firewalls see all of this traffic on the wire but are often unable to detect and block it, because the malicious traffic is usually indistinguishable from legitimate traffic.
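The following is an added illustration, not code from the patent and not the patent's claimed method: it models the two vantage points described above (a software firewall reading through a hooked stack, and an observer on the wire) and shows that the discrepancy between them is itself an indicator of a stealth flow, with no signature required. The flow records, the address 203.0.113.9 as the home base, and the behaviour of the hypothetical NDIS-level hook are all constructed for the example.

```python
"""Cross-view consistency check for stealth network communications.

Constructed example. The flow records and the hook behaviour below are
made up for illustration; nothing here is captured data or patent code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


# Constructed sample: every flow the host actually emits onto the wire.
ACTUAL_HOST_FLOWS = [
    Flow("tcp", "10.0.0.5", 51000, "93.184.216.34", 443),  # browser HTTPS
    Flow("udp", "10.0.0.5", 53012, "10.0.0.1", 53),        # DNS lookup
    Flow("tcp", "10.0.0.5", 51777, "203.0.113.9", 8443),   # malware to home base
]

# Hypothetical NDIS-level hook (assumption): drops traffic to the attacker's
# server from anything that inspects the stack above the hook point.
HIDDEN_DESTINATIONS = {"203.0.113.9"}


def host_firewall_view(flows):
    """What a software firewall sees through a patched stack.

    Assumption: the hook filters the flow list before the firewall's own
    hook point, so the firewall never learns the hidden flows exist.
    """
    return [f for f in flows if f.dst not in HIDDEN_DESTINATIONS]


def wire_view(flows):
    """What a tap or hardware firewall on the network sees: every flow,
    but with no way on its own to tell malicious flows from benign ones."""
    return list(flows)


def stealth_flows(host_reported, wire_observed):
    """Flows present on the wire that the host does not report.

    The discrepancy, not the content of the traffic, is the indicator;
    this is why correlating two vantage points catches what either alone
    misses. Real deployments must tolerate timing skew and short-lived
    flows that end before the host view is sampled.
    """
    reported = {f.key() for f in host_reported}
    return [f for f in wire_observed if f.key() not in reported]


def find_stealth_flows(flows=ACTUAL_HOST_FLOWS):
    """Run the check over the constructed sample and return hidden flows."""
    return stealth_flows(host_firewall_view(flows), wire_view(flows))


if __name__ == "__main__":
    for f in find_stealth_flows():
        print(f"stealth flow: {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

The simulation deliberately keeps the wire side ignorant of intent: it cannot distinguish the 8443 flow from the 443 flow by inspection, mirroring the point about hardware firewalls above. Only the comparison with what the host admits to singles out the hidden connection.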
Accordingly, there is a need in the art for a way to detect and block stealth network communications in order to prevent malware from communicating with its base and/or performing other malicious actions.